State Lawmakers Balance Concerns on Student-Data Privacy

State lawmakers weighing advocate, industry views

Building on last year's energetic debate in states over how best to protect student data, legislators have intensified efforts in 2015 to address the issue in statehouses.

And this year, there's particularly prominent tension between privacy advocates concerned about loopholes through which data can be shared and used inappropriately, and the education technology providers who don't want restrictions on access to learning software and other services.

The template is being set by two bills in particular—one state and one federal. The California Student Online Personal Information Protection Act (SOPIPA), passed last year, has been praised by data-protection advocates and is the model for bills introduced in 15 states this year. And national attention is focused on the federal Student Digital Rights and Parental Rights Act of 2015, sponsored by Democratic U.S. Rep. Jared Polis of Colorado and Republican U.S. Rep. Luke Messer of Indiana, which is designed to limit the sale of student information to postsecondary institutions and restrict educators' discretion over its dissemination. Federal lawmakers have also recently discussed proposals to overhaul the Family Educational Rights and Privacy Act.

Good and Bad Cholesterol

According to the Data Quality Campaign, a Washington-based organization that lobbies for the effective use of student data, 177 bills have been introduced in 45 states dealing with student-data privacy and protection so far this year, as of early May. That's up from 110 bills that were introduced in 36 states in 2014. But the approval rate for new laws has actually slipped dramatically.

A big issue this year: how service providers use or don't use data, and in what situations they're held accountable.

Taking Steps

Although more bills on student-data privacy have been introduced in states this year than last—177 in 45 states, according to the Data Quality Campaign—only 10 have been signed into law. Some of the notable legislation includes:

Maryland
House Bill 298 was signed by Gov. Larry Hogan last week. The law places new requirements on service providers for data security, but critics say there are several loopholes.

Virginia
Gov. Terry McAuliffe, a Democrat, signed four bills this year related to how student data can and can’t be used, and the rights of parents concerning their children’s participation in certain surveys. House Bill 2350, for example, requires the state to create a model data-security plan for districts. It also creates the new position of chief data-security officer to help districts with their security plans.

Utah
This year, Gov. Gary Herbert, a Republican, signed House Bill 163, which requires schools to notify parents if there is a security breach involving their children’s personally identifiable data. Gov. Herbert also signed a bill that requires the state school board to submit a proposal regarding how state lawmakers can update student-privacy laws.

Source: Education Week

The right environment for providers is one in which their software or applications are tailored to students' learning experiences, and in which they can suggest other educational services based on children's data, without allowing that data to be used for things that have nothing to do with education, said Paige Kowalski, the vice president for policy and advocacy at the Data Quality Campaign.

That could mean, for example, a ban on advertisements for soft drinks in applications that students are using, but not a prohibition on recommending certain products in schools that individual student data have indicated could help the child.

"It's like cholesterol. Don't just lower cholesterol. It's a little more complicated than that. You want to raise one and lower another one," Ms. Kowalski said. "That wasn't something any of us were talking about a year ago."

Mark Schneiderman, the senior director of education policy for the Software and Information Industry Association, who testified in a legislative hearing about a Maryland bill, said one of his organization's broader goals is to smooth over inconsistencies in various states' policies, in order "to ensure that we're not creating inappropriate barriers to technology access in the name of privacy."

Avoiding Future Use

One proposal this year that creates the right balance while also establishing a clear accountability system for governing student data, according to Ms. Kowalski, is Georgia Senate Bill 89. That legislation, which was signed into law by GOP Gov. Nathan Deal earlier this month, allows student data to be used "for adaptive learning or customized student learning purposes" as well as "to recommend additional content or services to students."

The new Georgia law also requires each local school system to designate a person to address data-privacy complaints from parents, and for the state education department to create a "chief privacy officer" and develop a model policy for handling parent complaints.

Broadly speaking, states should also be working to protect student data so information from the K-12 years doesn't "come back to haunt the student later in life," said Joni Lupovitz, the vice president of policy at the San Francisco-based Common Sense Media, which advocates for student-privacy protections.

"If the worst thing that happens from focusing the public's attention on this is that companies compete on which does privacy best, I'm not going to complain," she said.

Battle Over Balance

But Maryland's tug-of-war over a recently enacted law covering student-data privacy shows that there can still be significant divides between privacy advocates and the K-12 technology industry.

House Bill 298, which was signed by GOP Gov. Larry Hogan last week, places new restrictions on the sharing of data by companies entering into contracts with schools to provide educational services. It also prohibits targeted advertising to students, as well as the creation of profiles about individual students "except in furtherance of a pre-K-12 school purpose."

One of the biggest issues with the new Maryland law is that it only covers education vendors that enter into contracts with districts, leaving a big loophole for other education technology providers, Ms. Lupovitz said.

"Is it covering the wide swath of entities, from all online services and apps and websites that are used for K-12 purposes? That's been an issue," Ms. Lupovitz said.

One consequence of limiting provisions of the law only to contractual arrangements is that websites and other services not covered by contracts aren't required to delete student-level data they acquire, said Ellen Zavian, a privacy advocate in Maryland who opposed the final version of the bill.

Speaking before Gov. Hogan signed the bill into law, Ms. Zavian added that if the governor approved it, "there is going to be a lawsuit, and it is going to come up again."

But Del. Anne Kaiser, a Democrat and sponsor of House Bill 298, said that while her original bill was stronger than what Gov. Hogan ultimately signed, she stressed that the bill represents notable progress from where the state stood previously. She added that she hasn't closed the book on her efforts to strengthen protections for student data.

"We're planning next year to ... have a commission look more deeply at some of these issues, and sharpen some of the provisions," Ms. Kaiser said.

Industry Influence

Although there isn't a single unified opinion in the educational technology industry about the best privacy policies, and while some companies are beginning to market themselves as good stewards of data, the industry in general has paid close attention to such bills, Ms. Lupovitz said.

"We've seen markedly increased industry lobbying on this issue in the states," she said. "That has had some effects on some of the legislation."

Asked about the Maryland law, Mr. Schneiderman said that the state Senate's changes to the bill simply "addressed practical concerns that senators had about the bill coming out of the House."

In addition to the 15 states where lawmakers have introduced bills modeled on the California law, which the K-12 technology industry has indicated needs some clarification, lawmakers have introduced bills in 10 other states that are based on model legislation written by Microsoft that's also similar in some respects to the California statute, according to the Data Quality Campaign.

Despite the uptick in the number of bills lawmakers have considered, so far in 2015 legislative sessions, only half a dozen states have enacted new laws addressing student-data privacy, totaling 10 new statutes, according to recent information from the DQC. Last year, 21 states enacted more than two dozen such laws. According to the National Conference of State Legislatures, 31 states had adjourned or were due to adjourn their sessions this year by mid-May.

Mr. Schneiderman indicated that the industry hasn't dramatically changed its lobbying regarding the issue from last year to this year. But he did say his group has worked with lawmakers to clarify portions of the several bills modeled on California's law.

Vol. 34, Issue 31, Pages 19-20

Published in Print: May 20, 2015, as Student-Data Use a Key Issue in Debates Over Privacy Bills

Notice: We recently upgraded our comments. (Learn more here.) If you are logged in as a subscriber or registered user and already have a Display Name on edweek.org, you can post comments. If you do not already have a Display Name, please create one here.

Ground Rules for Posting
We encourage lively debate, but please be respectful of others. Profanity and personal attacks are prohibited. By commenting, you are agreeing to abide by our user agreement.
All comments are public.